On Thu, 26 Apr 2018 19:45:35 -0400, Phil Shafer <[email protected]> wrote:
>
> Chris Morrow writes:
> >ok, cool! so you want cert then key, great! (not clear on the
> >format... but..)
>
> The easiest way to add certs to config is with the "load-key-file"
> knob:

sure... but... that's not what the great-god-of-config-pipeline says we do :)
It turns out that:
  1) you can do them cert/key and key/cert (doesn't seem to matter)
  2) you need to make sure that the only end-of-line is \n... not other
     spaces :(

it would have helped a bit if the error was more clear :( helped me anyway.
I think it'd also be nice if I could have loaded the key in one element and
the cert in another... everyone who requires them jammed together does the
ordering differently from the last person :(

> >ok.. so that's actually: "Private key and Certificate string" It's
> >also not simple to find docs on this at the juniper support site :(
>
> Here's a too-late-to-help-this-time URL:
>
> https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ex-series-ssl-certificates-generating.html
>

thnx! it does (as you say next) not include the key (which has to have its
passphrase removed) in the pem file, it uses the load-from-file option which
may not be the preferred manner for the particular operator.

it also seems to suggest that using self-signed certs is ok (it's not, really
it's not... setup your own ca, mint certs from it, verify certs on connect).
a note in the docs that: "self signed certs invite people to mitm your
control/monitoring comms with your network... it invites people to be you on
your network and do what you can do... you don't want that to happen, right?"
would be great to see.

> It fails to mention that both sections are needed, though this
> kb article does:
>
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB19726&cat=&actp=LIST
>

I'm unsure how I would have found this document 'quickly', I did several
searches for: "streaming telemetry ssl certificate" and tried limiting the
results to 'router' things (checkbox in results page)... searching the
kb/support/docs is harder than it seems like it should be, oh well.

spreading the configuration requirements far and wide in the support/docs
seems counter-productive to letting people self-help to a solution :( it's a
shame that the docs aren't more clear and more centralized.

> >If your primary/first interaction with 'documentation' is the
> >command-line usage, then ffs please be precise.
>
> Apologies for this.

end of a long, almost done week... good times. thanks for taking the time.

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
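The three things the thread arrives at by trial and error (either block order loads, every line must end in a bare \n with no other whitespace, and the key has to have its passphrase removed) are easy to check before pasting the string into the config or pointing load-key-file at it. The script below is an added example written for this page; it is not from the thread and not Juniper tooling. The sub-command names, file names, the "telemetry CA" subject strings and the script name pem-bundle.sh are assumptions, and only the mint sub-command needs openssl; the checks themselves use grep, sed, awk and tr. It also builds the private CA the reply recommends instead of a self-signed cert, and runs openssl verify against that CA, which is the check a collector should make on connect.

```shell
#!/bin/sh
# Added example, not Juniper's code and not from the thread: build a
# "private key + certificate" PEM bundle the way the thread describes and
# check it before pasting it into Junos (or handing it to load-key-file).
# Assumed: file names, the telemetry-CA subject strings, and that openssl
# is in PATH for the "mint" sub-command; the checks need only grep, sed,
# awk and tr.

# 0 when FILE has a CR, a trailing space/tab, or a blank line, i.e. anything
# other than a bare "\n" ending each line (point 2 in the thread).
pem_has_stray_whitespace() {
    LC_ALL=C grep -q '[[:space:]]$' "$1" || LC_ALL=C grep -q '^$' "$1"
}

# Print key-cert or cert-key depending on which block comes first (the
# thread found both orders load); fail if either block is missing.
pem_bundle_order() {
    key_line=$(grep -n 'BEGIN .*PRIVATE KEY' "$1" | head -n 1 | cut -d: -f1)
    cert_line=$(grep -n 'BEGIN CERTIFICATE' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$key_line" ] && [ -n "$cert_line" ] || return 1
    if [ "$key_line" -lt "$cert_line" ]; then echo key-cert; else echo cert-key; fi
}

# 0 when the key block is still passphrase-protected (PKCS#8 encrypted
# header, or the Proc-Type header of a traditional encrypted key).
pem_key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Full pre-flight: both blocks present, key unencrypted, clean line endings.
# The reason goes to stderr, which is the clearer error the poster wished for.
check_pem_bundle() {
    f=$1
    if ! pem_bundle_order "$f" >/dev/null; then
        echo "$f: need both a PRIVATE KEY and a CERTIFICATE block" >&2
        return 1
    fi
    if pem_key_is_encrypted "$f"; then
        echo "$f: key still has a passphrase; strip it: openssl pkey -in enc.key -out plain.key" >&2
        return 1
    fi
    if pem_has_stray_whitespace "$f"; then
        echo "$f: CR, trailing whitespace or blank line found; each line must end in a bare \\n" >&2
        return 1
    fi
    return 0
}

# Concatenate FIRST then SECOND into OUT: awk 1 makes each input end in a
# newline (so the two blocks never run together), then CRs, trailing
# whitespace and blank lines are dropped.
make_bundle() {
    awk 1 "$1" "$2" | tr -d '\r' | sed -e 's/[[:space:]]*$//' -e '/^$/d' > "$3"
}

# Private CA plus a router cert signed by it, instead of a self-signed cert.
# -nodes leaves the keys without a passphrase, which the bundle requires.
# The openssl verify step is what a collector should do against ca.crt
# on connect.
mint_ca_and_cert() {
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$cn telemetry CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -keyout "$dir/router.key" -out "$dir/router.csr" || return 1
    openssl x509 -req -sha256 -days 825 -in "$dir/router.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/router.crt" || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/router.crt" || return 1
    make_bundle "$dir/router.key" "$dir/router.crt" "$dir/router-bundle.pem" || return 1
    check_pem_bundle "$dir/router-bundle.pem"
}

# Offline demo on constructed data: a throw-away key/cert pair (not real
# key material) with the CRLF endings and trailing space that break loading.
demo() {
    tmp=${TMPDIR:-/tmp}/pem-demo.$$
    mkdir -p "$tmp"
    printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIBOgIBAAJBAK ' \
        '-----END RSA PRIVATE KEY-----' > "$tmp/router.key"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MIIBhTCCAS+gAwIBAgIUA' \
        '-----END CERTIFICATE-----' > "$tmp/router.crt"
    cat "$tmp/router.key" "$tmp/router.crt" > "$tmp/naive.pem"   # what plain cat gives
    if check_pem_bundle "$tmp/naive.pem"; then echo "unexpected: naive bundle passed"; fi
    make_bundle "$tmp/router.key" "$tmp/router.crt" "$tmp/fixed.pem"
    if check_pem_bundle "$tmp/fixed.pem"; then
        echo "fixed bundle OK, order: $(pem_bundle_order "$tmp/fixed.pem")"
    fi
    rm -rf "$tmp"
}

case "${1:-demo}" in
    mint)  mint_ca_and_cert "$2" "$3" ;;   # pem-bundle.sh mint DIR router-cn
    check) check_pem_bundle "$2" ;;       # pem-bundle.sh check bundle.pem
    *)     demo ;;
esac
```

Run it with no arguments for the offline demo, `sh pem-bundle.sh mint ./pki router1.example.net` to create the CA, the router key and cert, and router-bundle.pem (openssl required; the hostname is a placeholder), or `sh pem-bundle.sh check some.pem` on a bundle you already have. The check deliberately rejects blank lines and trailing whitespace rather than silently fixing them, so the same file that passes here is the one that goes into the config.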

